Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 19 Feb 2017 16:07:57 -0500
From:      Allan Jude <allanjude@freebsd.org>
To:        "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
Message-ID:  <b08b4252-7910-077b-0a6e-256aa06774ab@freebsd.org>
In-Reply-To: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
References:  <201702191930.v1JJUW3q051018@repo.freebsd.org> <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh
Content-Type: multipart/mixed; boundary="QH7CWWFDu9XBIcTd4Oxnhd1AMCinI8HEr";
 protected-headers="v1"
From: Allan Jude <allanjude@freebsd.org>
To: "Ngie Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Message-ID: <b08b4252-7910-077b-0a6e-256aa06774ab@freebsd.org>
Subject: Re: svn commit: r313962 - in head: etc/mtree sys/boot/geli
 sys/geom/eli tests/sys/geom tests/sys/geom/eli tests/sys/geom/eli/pbkdf2
References: <201702191930.v1JJUW3q051018@repo.freebsd.org>
 <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>
In-Reply-To: <FEC3571D-4183-4386-913D-6854636C102A@gmail.com>

--QH7CWWFDu9XBIcTd4Oxnhd1AMCinI8HEr
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 2017-02-19 16:01, Ngie Cooper (yaneurabeya) wrote:
>=20
>> On Feb 19, 2017, at 11:30, Allan Jude <allanjude@FreeBSD.org> wrote:
>>
>> Author: allanjude
>> Date: Sun Feb 19 19:30:31 2017
>> New Revision: 313962
>> URL: https://svnweb.freebsd.org/changeset/base/313962
>>
>> Log:
>>  improve PBKDF2 performance
>>
>>  The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it coul=
d be
>>
>>  GELI's PBKDF2 uses a simple benchmark to determine a number of iterat=
ions
>>  that will takes approximately 2 seconds. The security provided is act=
ually
>>  half what is expected, because an attacker could use the optimized
>>  algorithm to brute force the key in half the expected time.
>>
>>  With this change, all newly generated GELI keys will be approximately=
 2x
>>  as strong. Previously generated keys will talk half as long to calcul=
ate,
>>  resulting in faster mounting of encrypted volumes. Users may choose t=
o
>>  rekey, to generate a new key with the larger default number of iterat=
ions
>>  using the geli(8) setkey command.
>>
>>  Security of existing data is not compromised, as ~1 second per brute =
force
>>  attempt is still a very high threshold.
>>
>>  PR:		202365
>>  Original Research:	https://jbp.io/2015/08/11/pbkdf2-performance-matte=
rs/
>>  Submitted by:	Joe Pixton <jpixton@gmail.com> (Original Version), jmg =
(Later Version)
>>  Reviewed by:	ed, pjd, delphij
>>  Approved by:	secteam, pjd (maintainer)
>>  MFC after:	2 weeks
>>  Differential Revision:	https://reviews.freebsd.org/D8236
>>
>> Added:
>>  head/tests/sys/geom/eli/
>>  head/tests/sys/geom/eli/Makefile   (contents, props changed)
>>  head/tests/sys/geom/eli/pbkdf2/
>>  head/tests/sys/geom/eli/pbkdf2/Makefile   (contents, props changed)
>>  head/tests/sys/geom/eli/pbkdf2/gentestvect.py   (contents, props chan=
ged)
>>  head/tests/sys/geom/eli/pbkdf2/hmactest.c   (contents, props changed)=

>>  head/tests/sys/geom/eli/pbkdf2/testvect.h   (contents, props changed)=

>> Modified:
>>  head/etc/mtree/BSD.tests.dist
>>  head/sys/boot/geli/Makefile
>>  head/sys/geom/eli/g_eli.h
>>  head/sys/geom/eli/g_eli_hmac.c
>>  head/sys/geom/eli/pkcs5v2.c
>>  head/tests/sys/geom/Makefile
>=20
> 	python (2.x) is now a requirement for the build after this commit--thi=
s is problematic for a few reasons:
> 	1. py3k is quickly becoming the defacto version upstream, and sometime=
 in the future will become the one and only version.
> 	2. python is not in the limited path when the build is executed, and u=
nfortunately this path might be triggered if the file that=E2=80=99s gene=
rated is older than the script.
> 	3. Not everyone is guaranteed to install the python port.
> 	Could you please fix this?
> Thanks,
> -Ngie
>=20
> PS. The script that was committed is also not-PEP8 compliant (I see har=
d tab indentation instead of 4-space indents).
>=20

Sorry, I didn't think it actually built these tests unless testvect.h
did not exist.

These tests were written by jmg@, years ago, but by me.

What do you think the best course of action is? Just disconnect this test=
?

--=20
Allan Jude


--QH7CWWFDu9XBIcTd4Oxnhd1AMCinI8HEr--

--MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJYqgkwAAoJEBmVNT4SmAt+aRkQAMX2Xq79ShhTBaz+A7jXKMxr
KF6wPyzCsDOMqUKe9rUJIXm6+UjGiH4llpbADf3O0z4GVO7m+MRpOomR1V4zWOF2
+YcszF6SlNMNOARKFWgKGX//TEr/JeiWaSwgZJNUZSEjbIxMbtu0I2Yr31wrD3IE
Qr0whFe5YbgjslVeaGjBi8axKggxf+i9J4M0x7ZKh7o/mF4Pr768TvrCmHPd0l9H
ozvSvTVpuN4gpf9Z/AZ6et8tfb85dm4oZbRKK1Hh+DmpGnoyR9G4XWaKtU/p2YkT
/NtdoJ0wooHFcWkYBa9HUHSBeWk8Deobjk+3sztMBPMCCfXI0HVKiHOJq1PqdjgI
Pho3/YyO8GztfIfmjsPSP7t/9hn5TPSbS/DmKxP/OLIIKiPpJugSnwlCK1zwhZIk
Fauv3U/ETWSY1EQXoPf17kfcIE409NfaexsDH24rsUOgHKsP3vpD1MH6RL/HZak4
nK3LSZen/Y8W2bvw/2o7OykL+qMbm0d9Kv5HAtPrZat5pNmPal5y3O9qv6M2fQMm
cQ8g/8/j1JwGgktaxAvDX4DhO0EYY1P7t0qEc82wb5qGlyYLPIYqk4RuJc/8BJH7
+FZds4d9d/arFOw1vJYHIlEvhIeoUXLGrXZR+WRFRcZPizow4Wu24jihwLbpJgsq
vtUcquvm1UbA449zSQNB
=X4QP
-----END PGP SIGNATURE-----

--MvUVXPviLnRO6W18Wp1NtbnClPWs6fbTh--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b08b4252-7910-077b-0a6e-256aa06774ab>